DETAILED ACTION

1. This office action is in response to applicants' amendment filed on 03/12/2008.

2. Claims 1-3 and 5-8 are pending. 

3. Claims 7 and 8 are newly added. 

4. Claim 4 is cancelled.

5. Claims 1-3, 5 and 6 are amended. 

6. Applicant's arguments have been fully considered but they are not persuasive. 

Response to Arguments 
1. Applicants with regards to the Double Patenting rejection on page 8 of the
remarks argue that "The claims of the copending application recite using "statistics" on 
incoming and outgoing calls and taking action to mitigate unsolicited calls. The claims 
do not recite either detection of DoS attacks or comparing INVITE messages with 
Ringing messages, and the disclosure of the copending application makes clear that the 
invention involves neither DoS attacks nor Ring messages. In fact, the claims of the 
copending application are directed to an entirely different and at best tangentially- 
related invention, and recite none of the features claimed in the present application. 
Accordingly, the double patenting rejection is believed to be improper". 

Examiner respectfully disagrees and asserts that the instant claim 1 is
substantially the same as copending claim 1 for the following reasons: 
a) The copending claim 1 recites "comparing the total of said incoming messages to 
said outgoing messages of each setup and termination message type for a given user" 
which is substantially the same as "detecting an imbalance between an accounting of 
said SIP INVITE and SIP 180 Ringing messages resulting from a denial of service
attack" recited by the instant claim 1. Because the SIP INVITE messages are the
incoming messages from a user requesting a call session and the SIP 180 Ringing 
messages are one of the three kinds of outgoing messages in a SIP communication 
(outgoing messages: SIP 180 Ringing messages, SIP 100 TRYING messages and SIP 
200 OK messages) that the requesting user receives for each requesting message 
(see, for example, March et al, 2003/043740, paragraphs [0064]-[0066] and other 
related literatures to session initiation protocol (SIP) for voice and multimedia 
communications). Therefore, detecting an imbalance between an accounting of SIP 
INVITE and SIP 180 Ringing messages is the same as comparing the total of said 
incoming messages to said outgoing messages. 

b) The copending claim 1 recites "responding to a statistically significant imbalance 
in the comparison of both types of message statistics for the given user, taking an 
action to mitigate unsolicited calls from that user", which is the same as "providing an 
indication of the presence of a current DoS attack on said proxy server based on 
detection of said imbalance" recited by the instant claim 1. Because "responding to..." is
equivalent to "providing an indication of..." and "unsolicited calls from that user" is the 
same as "current DoS attack on said proxy server". 

2. Applicants with regards to the rejection of claims under 35 U.S.C. 102(e) on 
pages 8 and 9 of the remarks argue that "The "rate" of incoming data units exceeding a 
threshold is clearly not the same or analogous to the claimed imbalance between
set-ups (INVITE messages) and rings (Ringing messages), nor is the matching a "pattern"
of incoming data units suggestive of the claimed imbalance". 

Examiner respectfully disagrees and asserts that one of the most common types 
of the DoS attacks is when a user sends excessive messages to a border system in
a network such as a proxy server, a firewall, a gateway or any device that controls the
incoming messages in order to flood the border system rendering it unavailable. In a
SIP communication, for each receiving message (i.e., an INVITE message) the border
system tries to send a SIP 180 Ringing message (i.e., one of the three types of outgoing
message). If the number of INVITE messages is too large, the border system will
become very busy to respond to them and cannot respond to legitimate requests. The
flooding scheme in a DoS attack can be expressed either by stating that the number of
incoming messages is too high (i.e., the rate of the incoming messages is high or more
than expected or more than a threshold) so that the receiving border system is
inundated with messages or stating that the difference between the incoming messages 
and the outgoing messages is very large (i.e., the number of the incoming messages is 
too high and the number of outgoing messages is too little), which are the same. 
Therefore, if March compares the rate of the INVITE messages against a predefined 
threshold to detect a DoS attack it would be the same as if it subtracts the number of 
SIP 180 Ringing messages from the INVITE messages to detect a DoS. Because in a 
non-DoS SIP communication the number of INVITE messages is equal to the number of 
SIP 180 Ringing messages (see, for example, the descriptions of Fig. 3 in March).

3. Examiner, however, in light of the above submission maintains the previous
rejections while considering the amendments to the claims and added new claims as 
follows. 

Double Patenting 

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in 
public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise 
extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple 
assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759
F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); 
In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and, In re Thorington, 418 F.2d 528, 163 
USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be
used to overcome an actual or provisional rejection based on a nonstatutory double
patenting ground provided the conflicting application or patent is shown to be commonly
owned with this application. See 37 CFR 1.130(b).

Effective January 1, 1994, a registered attorney or agent of record may sign a
terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 
37 CFR 3.73(b). 

Claims 1, 5 and 6 are provisionally rejected under the judicially created doctrine of
obviousness-type double patenting as being unpatentable over claims 1, 2, 4 and 10-12 
of copending Application No. 10/849,830. Although the conflicting claims are not 
identical, they are not patentably distinct from each other because the claims of this 
application are broader than the claims 1 and 10 of the copending application. For 
example, the claims of the instant application do not expressly specify that collecting 
statistics on incoming and outgoing call setup and termination signaling message types 
on a per user basis in a given time period. In general, the combined limitations of claims 
1, 2 and 4 and the combined limitations of claims 10-12 of the co-pending application 
correspond to the limitations of claims 1, 5 and 6 in the instant application. The
co-pending claims 2 and 11 recite that a proxy server collects the statistics of messages
and the co-pending claims 4 and 12 recite the use of a Session Initiation Protocol (SIP).
These limitations correspond to "having at least one proxy server incorporating a
Session Initiation Protocol (SIP)" in the claims 1, 5 and 6 of the instant application.
This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 

Claim Rejections - 35 USC § 102 

Claims 1-3 and 5-8 are rejected under 35 U.S.C. 102(e) as being anticipated by 
March et al (2003/043740; hereinafter March). 

Regarding claim 1, March discloses: 

A method of detecting denial of service (DOS) attacks (see Fig. 7, paragraphs 0029 and 
0097) in an Internet accessible network having at least one proxy server (see paragraph 
0018 and 0020) incorporating a session initiation protocol (SIP), said session initiation 
protocol includes INVITE (INV) messages that request set-up of an Internet telephone 
call and SIP 180 messages indicate ringing (see paragraph 0025), comprising the steps 
of: detecting an imbalance between an accounting of said SIP INVITE and SIP 180 
Ringing messages resulting from a denial of service attack (see paragraphs 0005, 0029 
and 0097); and 

providing an indication of the presence of a current DoS attack on said proxy server 
based on detecting of said imbalance (see Fig. 7, block 616 and paragraphs 0029, 0101 
and 0103).

Regarding claim 2, March discloses:

The method of detecting denial of service attacks in an Internet accessible network as 
defined in claim 1 wherein the number (H) of INVITE messages (see paragraphs 0005, 
0038 and 0100) including credentials that are sent from a user client in response to an 
authentication required (407) message from the proxy server (see Fig. 3, paragraphs 
0066 through 0072 and 0085), said credentials being information used by the proxy 
server to authenticate the INVITE messages (see paragraphs 0102 and 0103, where 
the identifier corresponds to the recited credentials), are removed from the accounting 
before the balance is tested such that the equation: 

INVo + INVc - H = N180

where INVo is the number of INVITE messages without said credentials, INVc is the
number of INVITE messages with said credentials, and N180 is the number of said 180 
messages, is not true within a predetermined margin of error (see paragraphs 0029, 
0097, 0100 and 0101, where the rate of incoming messages, the traffic pattern and the
threshold are the indication of a balance between the incoming messages and Ok 
outgoing messages) then the presence of a denial of service attack on the proxy server 
is indicated by the inequality (see paragraphs 0005 and 0103).

Regarding claim 3, March discloses:

The method of detecting denial of service attacks in an Internet accessible network as 
defined in claim 2 further including causing said proxy server to maintain a call 
information table for determining the value of H (see paragraphs 0028 and 0036). 
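
The accounting recited for claims 2 and 3 can be illustrated as follows. This is an added example, not taken from the office action, the application or March; the class name, the event tuple format, the use of the Call-ID as the key of the call information table and the margin value are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class InviteRingingBalance:
    """Tests INVo + INVc - H = N180 within a margin (all names are assumed)."""
    margin: int = 2        # assumed "predetermined margin of error", in messages
    inv_o: int = 0         # INVITE messages without credentials
    inv_c: int = 0         # INVITE messages with credentials
    h: int = 0             # credentialed INVITEs sent in response to a 407
    n180: int = 0          # 180 Ringing messages
    challenged: set = field(default_factory=set)   # call information table

    def observe(self, kind, call_id, has_credentials=False):
        if kind == "407":
            self.challenged.add(call_id)       # proxy required authentication
        elif kind == "180":
            self.n180 += 1
        elif kind == "INVITE" and has_credentials:
            self.inv_c += 1
            if call_id in self.challenged:     # repeat of a set-up already counted
                self.challenged.discard(call_id)
                self.h += 1
        elif kind == "INVITE":
            self.inv_o += 1

    def imbalance(self):
        return self.inv_o + self.inv_c - self.h - self.n180

    def attack_indicated(self):
        return abs(self.imbalance()) > self.margin

def normal_call(call_id):
    # INVITE, 407 challenge, INVITE repeated with credentials, then 180 Ringing
    return [("INVITE", call_id, False), ("407", call_id, False),
            ("INVITE", call_id, True), ("180", call_id, False)]

def run(events, margin=2):
    balance = InviteRingingBalance(margin=margin)
    for kind, call_id, has_credentials in events:
        balance.observe(kind, call_id, has_credentials)
    return balance

# Constructed traffic: five authenticated calls, then the same calls plus
# forty INVITE messages that never produce a 180 Ringing message.
BASELINE = [e for i in range(5) for e in normal_call(f"call-{i}")]
FLOOD = BASELINE + [("INVITE", f"flood-{i}", False) for i in range(40)]

if __name__ == "__main__":
    for name, events in (("baseline", BASELINE), ("flood", FLOOD)):
        b = run(events)
        print(name, b.imbalance(), b.attack_indicated())
```
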

Regarding claim 5, March discloses:

A system for detecting denial of service attacks against session initiation protocol
elements in an Internet accessible network having at least one proxy server, wherein 
said proxy server for determining if the number of INVITE messages including 
credentials (INVc) sent to said proxy server from user clients (see paragraphs 0005, 
0038 and 0100) in response to an authentication requirement exceeds a predetermined 
level that indicates a DoS attack (see Fig. 3, SIP 200 OK message 324 and ACK 
message 326), said credentials being information used by the proxy server to 
authenticate the INVITE messages (see paragraphs 0102 and 0103, where the identifier 
corresponds to the recited credentials).

Regarding claim 6, March discloses:

A system for detecting denial of service attacks in an Internet accessible network having 
at least one proxy server (see paragraph 0018 and 0020) incorporating session initiation 
protocol (SIP) (see paragraph 0025), wherein said proxy server includes means for 
detecting an imbalance between an accounting of SIP INVITE and SIP 180 Ringing 
messages (see paragraphs 0005, 0029, 0065 and 0097) that indicates the presence of 
a current denial of service attack on said proxy server (see paragraphs 0005 and 0103).

Regarding claim 7, March discloses:

A system for detecting denial of service attacks against session initiation protocol 
elements in an Internet accessible network as claimed in claim 5, wherein said means 
creates a call-info table for use in tracking said INVITE messages (see paragraphs 
0028, 0036 and 0097).

Regarding claim 8, March discloses:

A system for detecting denial of service attacks against session initiation protocol
elements in an Internet accessible network as claimed in claim 6, wherein said means 
creates a call-info table (see paragraphs 0028, 0036 and 0097). 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to ABDULHAKIM NOBAHAR whose telephone number is 
(571)272-3808. The examiner can normally be reached on M-T 8-6. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. 

/Abdulhakim Nobahar/ 
Examiner, Art Unit 2132 

June 26, 2008 
/Gilberto Barron Jr/ 

Supervisory Patent Examiner, Art Unit 2132 



